Solved

How can I stop warning re mysterious trojan or clean my PC of mchinjdrv.sys?

Posted on 2008-10-03
886 Views
Last Modified: 2013-12-04
Recently my AVG software has reported on startup that a trojan threat has been detected in c:\windows\system32\drivers\mchinjdrv.sys.

I've done some research and some say that this is a legit thing and others say it is indeed a trojan threat.  When the warning appears I can choose to Heal but it can't find the file so can't heal it.  I can choose to move it to the Virus Vault but as it can't find it there's nothing to move.  If I choose to Ignore it the box goes away but reappears again on startup.

Regedit won't let me chop the Legacy entries out of the registry and a search of the whole PC (including hidden files) can't find this file either.  I've run a full AVG virus scan and that comes up clean as do scans with Advanced WindowsCare, RegCure, XsoftSpy and a scanner I tried from Sophos which claimed to search for hidden rootkits.

I've seen a similar issue reported in EE and it mentions something called Rootkit Unlocker (or something like that) but when I looked in to that there was some doubt about it as someone alleged that this software added something to the system to defend against it ever being removed so in a way that's almost as bad as this current possible security risk.

The only way I can see to rid myself of this dialog is to add an exclusion in AVG not to reference system32\drivers when it starts up which is convenient but hardly secure.

Can anyone advise on how I can get rid of this thing?  Whether it's legit or not, if it poses a threat I'd rather not have it hanging around!  I'm running XP inc SP3 and all latest patches and AVG v8.

Thanks in advance.
Question by: funasset
9 Comments
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22632493
Hi,

Try the following:

Download process explorer from any site. (ProcessExplorer.zip)
Run Process Explorer
Find the process mchinjdrv.sys tree
Kill tree
Go to dos prompt
c:\> dir /S /AH /L mchinj*.sys
If you find the file:
attrib -s -h -r mchinjdrv.sys
rename mchinjdrv.sys mchinjdrv.old

Delete mchinjdrv.old

I think this should work.

Let me know,
Cheers.
LVL 5

Expert Comment

by:MattRichardson
ID: 22632756

Author Comment

by:funasset
ID: 22633663
Thanks - I'll look in to both of these when I get home.

I'll get back to you!

Author Comment

by:funasset
ID: 22636059
Nope.  Tried the ProcessExplorer and there was no entry for mchinjdrv.sys and it didn't show up in DOS using the search either.  I'm mystified as to where this damned thing is!!
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 22638843
I did some digging for you on this issue. mchinjdrv.sys is for MadCodeHook Injection Driver.  It is used in programs like Spy Sweeper to do injection tests in order to catch malicious code.  Unfortunately, the way it's loaded is that the file is dropped just long enough to load into memory and then is deleted, which is why you can never locate it.  If you are using Spy Sweeper, I'd recommend putting it into your exemption list, or use another Anti-Spyware program.  Below are a couple of sites that you can check out to give you more information regarding mchinjdrv.sys:

http://forums.comodo.com/virusmalware_removal_assistance/mchinjdrvsys-t9257.0.html

http://www.wilderssecurity.com/showthread.php?t=47024
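The behaviour ThinkSmartInc describes (the .sys is written to system32\drivers only long enough to be loaded and is then deleted) explains why a file search comes up empty while the Service Control Manager registration and the Enum\Root\LEGACY_ key stay behind. The PowerShell script below is an added example, not code from this thread, from AVG or from the madCodeHook vendor: it lists those registry leftovers, asks the SCM whether the driver is registered or running, hashes and checks the Authenticode signature of the file if it happens to be on disk at that moment, and sets a FileSystemWatcher on the drivers directory to copy the file out the instant it is created so that there is a real sample to scan. The service name mchinjdrv (assumed to equal the file basename), the quarantine folder path, and Windows PowerShell 2.0 being installed on the XP SP3 box are assumptions.

```powershell
# Added example for this thread (not AVG's, madCodeHook's or any poster's code).
# Triage a driver that the resident shield flags at boot but that a file search never finds.
# Assumptions: Windows PowerShell 2.0 on XP SP3, run from an elevated session,
# and the SCM service name equals the file basename (mchinjdrv).
param(
    [string]$DriverName = 'mchinjdrv',                               # assumed service/file name
    [string]$Quarantine = (Join-Path $env:SystemDrive 'quarantine')  # assumed capture folder
)

$driverDir  = Join-Path $env:SystemRoot 'system32\drivers'
$driverFile = Join-Path $driverDir "$DriverName.sys"

function Get-DriverRegistration {
    # The SCM keeps a Services\<name> key for a kernel driver even after its image is
    # deleted, and the Enum\Root\LEGACY_<NAME> key is ACL-protected, which is why regedit
    # refuses to delete it. Both survive the file coming and going.
    $paths = @(
        "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName",
        "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($DriverName.ToUpper())"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $key = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Key       = $p
                ImagePath = $key.ImagePath   # where the SCM expects the .sys to be
                Start     = $key.Start       # 3 = demand start: loaded when asked, not at boot
                Type      = $key.Type        # 1 = kernel driver
            }
        }
    }
}

function Get-LoadedDriverInfo {
    # Ask the SCM (via WMI) whether the driver is registered and whether it is running now.
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.Name -eq $DriverName } |
        Select-Object Name, State, StartMode, PathName
}

function Test-DriverOnDisk {
    # If the file exists at this instant, record its SHA-256 and Authenticode signer so the
    # sample can be compared with what the vendor of the calling product ships.
    if (-not (Test-Path $driverFile)) { return $null }
    $bytes  = [System.IO.File]::ReadAllBytes($driverFile)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $hash   = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    $sig    = Get-AuthenticodeSignature -FilePath $driverFile
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{ Path = $driverFile; SHA256 = $hash; Signer = $signer; Status = $sig.Status }
}

function Start-DriverDropWatcher {
    # The driver is written to system32\drivers only long enough to be loaded and is then
    # deleted. Watching the directory for the Created event and copying the file out at once
    # turns the phantom path into a real sample that can be scanned or submitted.
    if (-not (Test-Path $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
    $watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $driverDir, "$DriverName*.sys"
    $watcher.EnableRaisingEvents = $true
    Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier DriverDrop `
        -MessageData $Quarantine -Action {
            $src = $Event.SourceEventArgs.FullPath
            $dst = Join-Path $Event.MessageData ('{0:yyyyMMdd-HHmmss}-{1}' -f (Get-Date), (Split-Path $src -Leaf))
            # The writer may still hold the file open; retry briefly before giving up.
            for ($i = 0; $i -lt 5; $i++) {
                try { Copy-Item -Path $src -Destination $dst -Force -ErrorAction Stop; Write-Host "captured $src -> $dst"; break }
                catch { Start-Sleep -Milliseconds 50 }
            }
        } | Out-Null
    return $watcher
}

Get-DriverRegistration | Format-List
Get-LoadedDriverInfo   | Format-List
$onDisk = Test-DriverOnDisk
if ($onDisk) { $onDisk | Format-List } else { Write-Host "$driverFile is not on disk right now" }
$watcher = Start-DriverDropWatcher
Write-Host "Watching $driverDir for $DriverName*.sys; leave this session open and start (or rescan with)"
Write-Host "the product that ships the driver. Run 'Unregister-Event DriverDrop' when finished."
```

The watcher only lives as long as the PowerShell session, so it cannot see a drop that happens during boot before anyone is logged on; to catch that case, run the script from a scheduled task at logon or trigger the product's scan by hand once the session is up. Treat anything that lands in the quarantine folder as an untrusted sample: hash it, check the signer, and hand it to the scanner, but do not load it.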

Author Comment

by:funasset
ID: 22640052
Thanks for the links and I appreciate the digging.  It's a pesky little so-and-so isn't it.

It's AVG's Resident Shield that complains about it - I guess a recent signature update is why it's suddenly picking it up.  The trouble is that as far as I can see I can't add this specific file reference to its exceptions list.  I can only add the path so that will mean telling AVG not to look in the whole system32\drivers directory which doesn't seem safe to me.  

I thought AVG was one of the best AV/anti-spam tools around so if I have to replace it in order to get rid of this warning I'm not entirely sure what to put in its place.  I can't find an email address or URL to contact the makers of AVG directly either so that I can pick their brains.  Tricky.

LVL 2

Accepted Solution

by: ThinkSmartInc (earned 500 total points)
ID: 22664600
You can go to http://www.avg.com/support-technical and enter your license from AVG to get support.

Author Comment

by:funasset
ID: 22667397
Thanks.  In the past couple of days the warning hasn't appeared on startup 9 out of 10 times - why it appears on the other 1 occasion I really don't know.  I've scanned my PC with everything I can get my hands on and all reports indicate no infection so although this hook can be used by nasty hackers who need to get out more, it would seem that in this instance it is indeed a false positive and I'll have to contact AVG.

I appreciate your help.

Cheers.

Author Closing Comment

by:funasset
ID: 31502689
Many thanks for your efforts.